Abstract

We describe an algebra of Edge-Valued Decision Diagrams (EVMDDs) to encode arithmetic
functions and its implementation in a model checking library. We provide efficient algorithms for
manipulating EVMDDs and review the theoretical time complexity of these algorithms for all basic
arithmetic and relational operators. We also demonstrate that the time complexity of the generic
recursive algorithm for applying a binary operator on EVMDDs is no worse than that of
Multi-Terminal Decision Diagrams.

We have implemented a new symbolic model checker with the intention to represent in one 
formalism the best techniques available at the moment across a spectrum of existing tools. Compared 
to the CUDD package, our tool is several orders of magnitude faster. 


1 Introduction 

Binary decision diagrams (BDD) [3] have revolutionized the reachability analysis and model checking 
technology. Arithmetic decision diagrams [2], also called Multi-Terminal Binary Decision Diagrams 
(MTBDD) [8] are the natural extension of regular BDDs to arithmetic functions. They take advantage of 
the symbolic encoding scheme of BDDs, but functions with large co-domains do not usually have a very 
compact representation because there are fewer chances for suffixes to be shared.

Edge-valued decision diagrams have been previously introduced, but only scarcely used. An early 
version, the edge valued binary decision diagrams (EVBDD) [11], is particularly useful when
representing both arithmetic and logic functions, which is the case for discrete state model checking. However,
EVBDD have only been applied to rather obscure applications: computing the probability spectrum and 
the Reed-Muller spectrum of (pseudo)-Boolean functions. 

Binary Moment Diagrams [4] were designed to overcome the limitations of BDDs/EVBDDs when 
encoding multiplier functions. However, their efficiency seems to be limited only to this particular type of 
functions. A new canonization rule for edge-valued decision diagrams enabling them to encode functions 
in $\mathbb{Z} \cup \{+\infty\}$ was introduced in [6] along with EVMDDs, an extension to multi-way diagrams (MDD) [9],
but, again, this was applied to a very specific task, of finding minimum length counterexamples for safety 
properties. Later, EVMDDs have been also used for partial reachability analysis. 

In this paper we first present a theoretical comparison between EVMDDs and MTMDDs for building 
the transition relation of discrete state systems before dealing with an implementation in a model checker 
along with state-of-the-art algorithms for state space construction. 

2 Background 

2.1 Discrete-state Systems 

A discrete-state model is a triple $(S, S_0, T)$, where the discrete set $S$ is the potential state space of the
model; the set $S_0 \subseteq S$ contains the initial states; and $T : S \to 2^S$ is the transition function specifying
which states can be reached from a given state in one step, which we extend to sets: $T(X) = \bigcup_{i \in X} T(i)$.

We consider structured systems modeled as a collection of $K$ submodels. A (global) system state $i$ is
then a $K$-tuple $(i_K, \ldots, i_1)$, where $i_k$ is the local state for submodel $k$, for $K \ge k \ge 1$, and $S$ is given by
$S_K \times \cdots \times S_1$, the cross-product of $K$ local state spaces $S_k$, which we identify with {0, . . since
we assume that $S$ is finite. The (reachable) state space $R \subseteq S$ is the smallest set containing $S_0$ and closed
with respect to $T$, i.e. $R = S_0 \cup T(S_0) \cup T(T(S_0)) \cup \cdots = T^*(S_0)$. Thus, $R$ is the least fixpoint of function
$X \mapsto S_0 \cup T(X)$.

2.2 Decision Diagrams 

We discuss the extension of BDDs to integer variables, i.e., multi-valued decision diagrams (MDDs) 
[9]. We assume that the variables along any path from the root must follow the order xk .
Ordered MDDs can be either reduced (no duplicate nodes and no node with all edges pointing to the same
node, but edges possibly spanning multiple levels) or quasi-reduced (no duplicate nodes, and all edges 
spanning exactly one level), either form being canonical. 

3 EVMDDs 

Definition 1. An EVMDD on a group $(G, *)$ is a pair $A = (v, n)$, where $v \in G$ is the edge value, also
denoted $A.\mathit{val}$, and $n$ is a node, also denoted $A.\mathit{node}$.

A node $n$ is either the unique terminal node $(0, e)$, where $e$ is the identity element of $G$, or a pair $(k, p)$
where $1 \le k \le K$ and $p$ is an array of edges of size $n_k$ (cardinality of $S_k$). The first element of the pair
will be denoted $n.\mathit{level}$ and, when relevant, the $i$-th element in the array will be denoted by $n[i]$.

Definition 2. For a node $n$ with $n.\mathit{level} = k$ and $(i_k, \ldots, i_1) \in S_k \times \cdots \times S_1$, we define $n(i_k, \ldots, i_1)$ as
$n[i_k].\mathit{val}$ if $n[i_k].\mathit{node}.\mathit{level} = 0$, and $n[i_k].\mathit{val} * n[i_k].\mathit{node}(i_{n[i_k].\mathit{node}.\mathit{level}}, \ldots, i_1)$ otherwise.

The function encoded by an EVMDD $A$, $f : S \to G,\ (i_K, \ldots, i_1) \mapsto A.\mathit{val} * A.\mathit{node}(i_{A.\mathit{node}.\mathit{level}}, \ldots, i_1)$, is
the repetitive application of law $*$ on the edge values along the path from the root to the terminal node,
corresponding to arcs $i_k$, for $K \ge k \ge 1$.

Definition 3. A canonical node is either the terminal node or a node $n$ such that $n[0].\mathit{val} = e$.

A canonical EVMDD contains only canonical nodes. 

It can be proved that any function $f$ has a unique canonical EVMDD representation [6].

Examples of graph representations of EVMDDs are given in Figure 1.



Figure 1: EVMDDs on $(\mathbb{Z}, +)$ representing the same function $f : \{0, 1, 2\} \times \{0, 1\} \to \mathbb{Z},\ (x_2, x_1) \mapsto x_2 \cdot x_1$.
The leftmost EVMDD is reduced while the others are quasi-reduced. The rightmost EVMDD is not 
canonical. 

EVMDDs can be used even when the algebraic structure $G$ is not a group. For example, [6]
offers a canonization rule for $\mathbb{N} \cup \{+\infty\}$. Also, $(\mathbb{Z}, \times)$ can be handled with the canonization rule
“$\gcd\{n[i].\mathit{val} \mid i \in S_{n.\mathit{level}}\} = 1$ and (n[0].val, . . level].val) $>_{lex}$ 0”.
4 EVMDDs compared to MTMDDs

MTBDDs are commonly used in model checking to build the transition relation of discrete-state systems.
In this section we show that EVMDDs are at least as suited to that purpose and oftentimes significantly
better. In the following, we choose, without loss of generality, $(G, *) = (\mathbb{Z}, +)$.

4.1 Space Complexity 

Theorem 1. For any function $f$, the number of nodes of the EVMDD representing $f$ is at most the number
of nodes of the MTMDD representing the same function $f$.¹


4.2 Time complexity 

Section 2 of [8] gives an algorithm to compute any binary operation on BDDs. The apply algorithm can
be easily generalized to MDDs for any n-ary operator $\square_n$. It computes its result in time $O\left(\prod_{i=1}^{n} |f_i|\right)$,
where $|f_i|$ is the size (in nodes) of the MTMDD representing operand $i$.

Section 2.2 of [10] gives the equivalent apply algorithm for edge-valued decision diagrams. 

Theorem 2. The number of recursive calls of the generic apply algorithm for MTMDDs is equal to that 
for EVMDDs representing the same function [10]. 


Hence, EVMDD computations are at least not worse than the MTMDD counterpart. However,
particular operators $\square_n$ may enable much better algorithms on EVMDDs. Below is a synopsis of the basic
algorithms to manipulate EVMDDs.

• Addition of constant ($f + c$): $O(1)$.

• Multiplication with scalar ($f \times c$): $O(|f|)$ [10].

• Addition ($f + g$): $O(|f|\,|g|)$ [10].

• Remainder and Euclidean Division: $O(|f|\,c)$.

• Minimum and Maximum: $O(|f|)$.

• Relational Operator with constant ($f < c$): not better in the worst case,
but in practice the complexity can be improved, by using min and max.

• Relational Operators ($f < g$): can be computed as ($f - g < 0$).
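
The following added example (not code from the paper or its library) builds quasi-reduced canonical EVMDDs on (Z,+) following Definitions 1 to 3, compares their node count with an MTMDD of the same function as in Theorem 1, and shows the O(1) addition of a constant. The tuple-based node layout and every function name are assumptions made for illustration.

```python
# Added illustration on (Z, +); all names are hypothetical, not the library's API.
TERMINAL = (0, ())   # unique EVMDD terminal node (level 0, no edges)
UNIQUE = {}          # unique table: structurally equal nodes are shared

def make_node(level, edges):
    """Definition 3: shift edge values so n[0].val = 0; the offset moves up."""
    offset = edges[0][0]
    key = (level, tuple((v - offset, n) for v, n in edges))
    return offset, UNIQUE.setdefault(key, key)

def build_evmdd(f, sizes, prefix=()):
    """Quasi-reduced canonical EVMDD edge (val, node); sizes = (n_K, ..., n_1)."""
    if len(prefix) == len(sizes):
        return f(*prefix), TERMINAL
    edges = [build_evmdd(f, sizes, prefix + (i,)) for i in range(sizes[len(prefix)])]
    return make_node(len(sizes) - len(prefix), edges)

def build_mtmdd(f, sizes, prefix=()):
    """Quasi-reduced MTMDD in the same layout: edge values 0, valued terminals."""
    if len(prefix) == len(sizes):
        return 0, (0, (), f(*prefix))
    edges = tuple(build_mtmdd(f, sizes, prefix + (i,)) for i in range(sizes[len(prefix)]))
    return 0, (len(sizes) - len(prefix), edges)

def evaluate(edge, state):
    """Definition 2: add the edge values along the path chosen by (i_K, ..., i_1)."""
    val, node = edge
    for i in state:
        step, node = node[1][i]
        val += step
    return val + (node[2] if len(node) == 3 else 0)   # MTMDD terminals hold a value

def node_count(edge):
    """Distinct nodes reachable from the root, terminal nodes included."""
    seen, stack = set(), [edge[1]]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(child for _, child in n[1])
    return len(seen)

def add_const(edge, c):
    """f + c in O(1): only the value on the root edge changes."""
    return edge[0] + c, edge[1]

def counter(*bits):
    """Constructed sample function: (x_K, ..., x_1) read as a binary number."""
    return int("".join(map(str, bits)), 2)
```

For the function of Figure 1 this gives 5 EVMDD nodes against 7 MTMDD nodes; for `counter` over 8 binary variables it gives 9 against 511, because every level of the EVMDD shares a single node.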


4.3 Multiplication 

As stated in [10], the result of a multiplication can have an EVMDD representation of exponential size in
terms of the operands. For example, let $S$ be $\{0, 1\}^K$, $f : (x_K, \ldots, x_1) \mapsto \sum_{k=2}^{K}$ and $g : (x_K, \ldots, x_1) \mapsto x_1$;
$f$ and $g$ both have an EVMDD representation with $K + 1$ nodes whereas $f \cdot g$ has $2^K$ nodes. Therefore,
we cannot expect to find an algorithm with better worst-case complexity. However, the following
equation, coming from the decomposition of $(v, n)$ in $v + (0, n)$ and $(v', n')$ in $v' + (0, n')$,

$(v, n) \times (v', n') = vv' + v(0, n') + v'(0, n) + (0, n) \times (0, n')$

suggests an alternative algorithm.

¹ All proofs and algorithms are given in a technical report [12], to appear.

The first product is an integer multiplication done in constant time. The next two are multiplications
by a constant done in $O(|f|)$ and $O(|g|)$, respectively. The last one is done through recursive calls. The
first addition takes constant time, the second one takes $O(|f|\,|g|)$ and produces a result of size at most
$|f|\,|g|$, hence a cost of $O(|f|\,|g|\,|fg|)$ for the last addition. The recursive function is called $O(|f|\,|g|)$
times, hence a final complexity of $O(|f|^2\,|g|^2\,|fg|)$.

Although we were unable to theoretically compare this algorithm to the generic apply algorithm, it 
seems to perform far better on practical cases. 

5 Implementation 


| Model size | Reachable states | CUDD (in s) | SMART (in s) | EVMDD (in s) |
|---|---|---|---|---|
| Dining philosophers | | | | |
| 100 | 4 × 10“ | 11.42 | 1.49 | 0.03 |
| 200 | 2 × 10^125 | 3054.69 | 3.03 | 0.07 |
| 15000 | 2 × 10^9404 | — | — | 195.29 |
| Round robin mutual exclusion protocol | | | | |
| 40 | 9 × 10^13 | 4.44 | 0.44 | 0.08 |
| 100 | 2 × 10^32 | — | 2.84 | 1.17 |
| 200 | 7 × 10^62 | — | 20.02 | 9.14 |
| Slotted ring protocol | | | | |
| 10 | 8 × 10^9 | 1.16 | 0.19 | 0.01 |
| 20 | 2 × 10^20 | — | 0.71 | 0.04 |
| 200 | 8 × 10^211 | — | 412.27 | 25.97 |
| Kanban assembly line | | | | |
| 15 | 4 × 10^10 | 80.43 | 3.41 | 0.01 |
| 20 | 8 × 10^11 | 2071.58 | 8.23 | 0.02 |
| 400 | 6 × 10^25 | — | — | 74.89 |
| Knights problem | | | | |
| 5 | 6 × 10' | 1024.42 | 5.29 | 0.27 |
| 7 | 1 × 10^15 | — | 167.41 | 3.46 |
| 9 | 8 × 10^24 | — | — | 32.20 |
| Randomized leader election protocol | | | | |
| 6 | 2 × 10^6 | 4.22 | 8.42 | 0.86 |
| 9 | 5 × 10^9 | — | 954.81 | 18.89 |
| 11 | 9 × 10^11 | — | — | 109.25 |

Table 1: Execution times for building state space using our library or CUDD (“—” means “> 1 hour”).

Symbolic model checkers, such as (Nu)SMV or SAL, are based on the library CUDD[11 which offers
an efficient implementation of BDDs and MTBDDs. Our goal was to implement a new symbolic model
checking library featuring EVMDDs for the transition relation construction and saturation [5] for state
space generation. We also developed a basic model checking front-end to test the library and compare it
to CUDD. Binaries and source code for both the EVMDD library and the model checker are available at
http://research.nianet.org/~radu/evmdd/.

5.1 Encoding the Transition Relation 

We represent the transition relation T as a disjunction of events which is well suited for globally- 
asynchronous locally-synchronous systems, where each event encodes some local transition. To avoid 
the expensive coding of a lot of identities, we use the full-identity reduction from [7].

5.2 State Space Construction 

For state space construction, we use the Saturation algorithm [5] instead of the classical breadth first 
search exploration. This heuristic often gives spectacular improvements when building the state spaces of 
globally-asynchronous locally-synchronous systems. This is certainly the major source of improvement 
of our implementation over existing BDD libraries. 
5.3 Experimental Results

Our new tool comprises 7K lines of ANSI-C code for the library and 4K lines for the simple model 
checker that provides a common interface to both our library and CUDD. Table 1 shows execution times 
for building the state space on a suite of classical models. Programs to generate all models can be found 
in the examples folder of our source code distribution. 

We collected the results on a Linux machine with Intel Core 2 processor, 1.2GHz, 1.5GB of memory.

Note that using other existing tools, such as NuSMV or SAL on these models, we get execution times 
of the same order of magnitude as with the CUDD interface of our tool. 

Compared to the first implementation of saturation algorithm [5] in the tool SMART, our new
implementation is always several (up to a few dozen) times faster. This is due to both the encoding of the
transition relation and our simple C implementation in comparison to the object-oriented C++ version.

6 Conclusions and Future Work 

We have studied the advantages of the EVMDD data structure over the widely used MTBDDs for the 
construction of transition relations of finite state systems and implemented them in a library, along with 
state-of-the-art algorithms for state space generation. We obtained execution times several orders of 
magnitude faster than the CUDD library and classical algorithms, with a reduced memory usage that enables
handling extremely large systems. Future work should focus primarily on integrating our library into the
SAL model checker.

Our results show that symbolic model checking remains an efficient technique for analyzing globally- 
asynchronous locally-synchronous systems and significant improvements are still possible. 